ISPConfig Multiserver setup (public or behind a firewall)

Discussion in 'ISPConfig 3 Priority Support' started by jhonatandiazp, May 4, 2021.

  1. jhonatandiazp

    jhonatandiazp New Member HowtoForge Supporter

    Hello everyone,
    I am new to the whole world of Linux/hosting. Quick question. For this setup, is it better to have it with a public IP, or behind the firewall doing 1:1 (one-to-one) mapping? I do not want to start over the setup for my mistake.

  2. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    Public IP is simpler, I'd go that route if it were me.
    Th0m likes this.
  3. jhonatandiazp

    jhonatandiazp New Member HowtoForge Supporter

    Thank you. Will do then. I will modify my setup. Thanks
  4. ahrasis

    ahrasis Well-Known Member HowtoForge Supporter

    Firstly, I think you mean behind NAT (e.g. load balancer, high availability proxy, router etc) and not the normal firewall, because the server setup in ISPConfig guides suggested they are all firewalled except for certain ports that are needed for certain access.

    And from what I understand @Jesse Norell said it is simpler (easier) to set up ISPConfig multi servers using their public IP but that doesn't mean it is better as I think it depends on various factors.

    And being new in this Linux world doesn't always mean you are not capable of researching the whole server concept and ISPConfig as its backbone behind NAT or otherwise not.

    I'd say keep this discussion open while you sketch and plan your ISPConfig multi server setup, as in my mind, you might not want all servers to be accessible via their public IP for some reasons.

    As you said it yourself:
  5. jhonatandiazp

    jhonatandiazp New Member HowtoForge Supporter

    Thank you so much for the comment. I have been reading about what will be the best option for me. I do not like to leave my server open to the public. I would like them to be behind a firewall. That is what I am trying to decide, what to do. If I have them behind the firewall, then I will need to use 1:1 (one-to-one) mapping to be able to forward ports.
  6. Th0m

    Th0m ISPConfig Developer Staff Member ISPConfig Developer

    You can set up a firewall on the server itself.
  7. Jesse Norell

    Jesse Norell ISPConfig Developer Staff Member ISPConfig Developer

    That is a very good plan. We generally use 2 different firewalls (sometimes 3, even), e.g. a host level and network level, as sometimes one will be disabled for some inadvertent reason, so the extra layer(s) helps things stay secure.

    As for NAT, I can certainly throw in with the IPv6 perspective that NAT is not intended as a security feature, and is simply a workaround for running out of IPv4 addresses, and it makes quite a few things more complicated. The address translation requires that you forward specific ports (and some NAT configurations, as well as services like UPnP, make it quite easy to forward more than you thought/intended), and sometimes rewrite packet contents, to make things work; a firewall (using public addrs) similarly requires that you allow certain ports, but doesn't require rewriting packets. So the security provided by using a NAT is due to it not forwarding all traffic to the endpoint - exactly the same as a firewall (and you often have more features/capability to control traffic with a firewall than NAT).

    I'll also throw in with the "NAT provides security" camp, at least compared to how most end users handle their connections. When most users had a single computer, it connected directly to the internet, and there was almost never a firewall. (And to make it worse, they almost all ran Windows.) Then as home networks grew, you needed to share connections, and with IPv4 addrs being fewer, everyone used NAT for their private network addrs - and that was/is much better than directly connected machines. But you almost certainly will not use NAT with IPv6, so if you have the option to use public addrs with IPv4, you can start learning to manage firewalls now to provide the filtering, and you won't have such a change in mindset and tools to deal with down the road. And it's simpler.
    jhonatandiazp and ahrasis like this.
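
Added example (not part of the thread and not ISPConfig's own configuration): a host-level nftables ruleset for a server on public addresses, showing the same "only allowed ports reach the endpoint" filtering described in the post above, applied to IPv4 and IPv6 in one table and without address translation. The table name, the port list and the peer addresses (documentation ranges) are assumptions to adapt to the services each node actually runs.

```nftables
#!/usr/sbin/nft -f
# Host firewall for a publicly addressed server: default-deny inbound,
# one ruleset for IPv4 and IPv6, no NAT and no packet rewriting.

# Recreate only this table so rules owned by other tools are left alone.
table inet host_filter
delete table inet host_filter

# Assumption: another node of the multiserver setup (placeholder addresses).
define PEER4 = 203.0.113.10
define PEER6 = 2001:db8::10

table inet host_filter {
    chain input {
        type filter hook input priority 0; policy drop;

        iif "lo" accept
        ct state established,related accept
        ct state invalid drop

        # IPv6 depends on ICMPv6 (neighbor discovery, path MTU);
        # dropping it breaks connectivity rather than adding security.
        icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert,
                      nd-router-advert, packet-too-big, time-exceeded,
                      parameter-problem, destination-unreachable,
                      echo-request } accept
        icmp type { echo-request, destination-unreachable,
                    time-exceeded } accept

        # Assumption: services this node offers to everyone.
        tcp dport { 22, 80, 443 } accept

        # Assumption: a cluster-internal service (MySQL here) is reachable
        # only from the peer node, never from the internet at large.
        ip  saddr $PEER4 tcp dport 3306 accept
        ip6 saddr $PEER6 tcp dport 3306 accept

        # Everything else falls through to "policy drop".
    }

    chain forward {
        # This host is not a router.
        type filter hook forward priority 0; policy drop;
    }
}
```

With a network-level firewall in front enforcing the same allow list, either layer being disabled by accident still leaves the other one filtering.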
  8. jhonatandiazp

    jhonatandiazp New Member HowtoForge Supporter

    Thank you. Will do.